InfraStruxure Central utilizes Java which can contain vulnerabilities. The information below goes over known issues and resolutions where applicable.

Resolution:

Security Vulnerabilities in the Java Runtime Environment related to the processing of XML Data. [1]

Problem Summary
A vulnerability in the Java Runtime Environment related to the processing of XML data may allow unauthorized access to certain URL resources (such as some files and web pages) or a Denial of Service (DoS) condition to be created on the system running the JRE. A second vulnerability in the Java Runtime Environment with processing XML data may allow an untrusted applet or application that is downloaded from a website unauthorized access to certain URL resources (such as some files and web pages).

Mitigating Factors
The InfraStruXure Central Client installer does not associate the packaged JRE with the local system’s web browser and does not include the packaged JRE in the standard execution path. Therefore, it is very unlikely for an untrusted applet to execute in the context of the APC installed JRE unless the system administrator manually configures the system to do so. Also, although InfraStruXure Central does allow the uploading of XML data, the data must adhere to strict guidelines before being processed, making the likelihood of malicious code execution low.

Recommendations and workarounds:
Download and install the newest JRE to all machines running the InfraStruXure Central Client (http://java.com/). When it becomes available, upgrade the InfraStruXure Central Server using the next regularly scheduled product update.

A Security Vulnerability with the processing of fonts in the Java Runtime Environment may allow Elevation of Privileges. [2]

Problem Summary
A buffer overflow security vulnerability with the processing of fonts in the Java Runtime Environment (JRE) may allow an untrusted applet or application to elevate its privileges. For example, an untrusted applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

Severity Risk
No risk.
Affected Products
None

Mitigating Factors
The InfraStruXure Central Client uses one font throughout all user input fields. The InfraStruXure Central Client installer does not associate the packaged JRE with the local system’s web browser and does not include the packaged JRE in the standard execution path. Therefore, it is very unlikely for an untrusted applet to execute in the context of the APC installed JRE unless the system administrator manually configures the system to do so. Also, InfraStruXure Central does not utilize applets.

Recommendations and workarounds
Download and install the newest JRE to all machines running the InfraStruXure Central Client (http://java.com/).

Problem Summary
A vulnerability in the Java Runtime Environment relating to scripting language support may allow an untrusted applet or application to elevate its privileges. For example, an untrusted applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. A second vulnerability in the Java Runtime Environment relating to scripting language support may allow an untrusted applet to access information from another applet.

Severity Risk
None
Affected Products
None

Mitigating Factors
The InfraStruXure Central Client installer does not associate the packaged JRE with the local system’s web browser and does not include the packaged JRE in the standard execution path. Therefore, it is very unlikely for an untrusted applet to execute in the context of the APC installed JRE unless the system administrator manually configures the system to do so. Also, InfraStruXure Central does not utilize applets.

Recommendations and workarounds
Download and install the newest JRE to all machines running the InfraStruXure Central Client (http://java.com/).

Problem Summary
Buffer overflow vulnerabilities in Java Web Start may allow an untrusted Java Web Start application to elevate its privileges. For example, an untrusted Java Web Start application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application. A vulnerability in Java Web Start may allow an untrusted Java Web Start application downloaded from a website to create arbitrary files with the permissions of the user running the untrusted Java Web Start application. A vulnerability in Java Web Start may allow an untrusted Java Web Start application downloaded from a website to create or delete arbitrary files with the permissions of the user running the untrusted Java Web Start application. A vulnerability in Java Web Start may allow an untrusted Java Web Start application to determine the location of the Java Web Start cache.

Problem Summary
A vulnerability in the Java Management Extensions (JMX) management agent included in the Java Runtime Environment (JRE) may allow a JMX client running on a remote host to perform unauthorized operations on a system running JMX with local monitoring enabled.

Severity Risk
None
Affected Products
None

Mitigating Factors
InfraStruXure Central does not utilize JMX

Recommendations and workarounds
None

Security Vulnerability in JDK/JRE Secure Static Versioning. [6]

Problem Summary
Secure Static Versioning was introduced in JDK and JRE 5.0 Update 6. With this feature, after the installation of a JRE 5.0 Update 6 or later release, applets are not allowed to run on an older release of the JRE. Due to a defect in the implementation, if an older release is subsequently installed, applets may run on that older release.

Security Vulnerability in the Java Runtime Environment Virtual Machine may allow an untrusted Application or Applet to Elevate Privileges. [7]

Problem Summary
A vulnerability in the Java Runtime Environment Virtual Machine may allow an untrusted application or applet that is downloaded from a website to elevate its privileges. For example, the application or applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application or applet.

Severity Risk
None
Affected Products
None

Mitigating FactorsThe InfraStruXure Central Client installer does not associate the packaged JRE with the local system’s web browser and does not include the packaged JRE in the standard execution path. Therefore, it is very unlikely for an untrusted applet to execute in the context of the APC installed JRE unless the system administrator manually configures the system to do so. Also, InfraStruXure Central does not utilize applets.

Recommendations and workarounds
Download and install the newest JRE to all machines running the InfraStruXure Central Client (http://java.com/).

Security Vulnerabilities in the Java Runtime Environment may allow Same Origin Policy to be Bypassed. [8]

Problem Summary
Security vulnerabilities in the Java Runtime Environment may allow an untrusted applet that is loaded from a remote system to circumvent network access restrictions and establish socket connections to certain services running on machines other than the one that the applet was downloaded from. This may allow the untrusted remote applet the ability to exploit any security vulnerabilities existing in the services it has connected to.

Severity Risk
None
Affected Products
None

Mitigating Factors
The InfraStruXure Central Client installer does not associate the packaged JRE with the local system’s web browser and does not include the packaged JRE in the standard execution path. Therefore, it is very unlikely for an untrusted applet to execute in the context of the APC installed JRE unless the system administrator manually configures the system to do so. Also, InfraStruXure Central does not utilize applets.

Recommendations and workarounds
Download and install the newest JRE to all machines running the InfraStruXure Central Client (http://java.com/).

Exploitation and Public AnnouncementsAPC is not aware of any malicious use of the vulnerabilities described in this advisory.

Status of this notice: ACTIVE

THIS IS AN ACTIVE ADVISORY. ALTHOUGH APC CANNOT GUARANTEE THE ACCURACY OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE BEEN CHECKED TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE ISSUING UPDATED VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME MATERIAL CHANGE IN THE FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN THE FACTS, APC MAY UPDATE THIS ADVISORY. A STAND-ALONE COPY OR PARAPHRASE OF THE TEXT OF THIS SECURITY ADVISORY THAT OMITS THE DISTRIBUTION URL IN THE FOLLOWING SECTION IS AN UNCONTROLLED COPY, AND MAY LACK IMPORTANT INFORMATION OR CONTAIN FACTUAL ERRORS.

IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NO LIMITED TO, LOSS OF PROFITS ARISING OUT OF THE USE OR IMPLEMENTATION OF THE INFORMATION CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS BEEN ADVISED OR THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.

Distribution
This bulletin and any future updates will be posted to APC's website.